CN105592061A - Attack rule closure method and device - Google Patents


Info

Publication number
CN105592061A
Authority
CN
China
Prior art keywords
count
hit
default
attack
attack rule
Prior art date
Legal status
Pending
Application number
CN201510707365.2A
Other languages
Chinese (zh)
Inventor
梁力文
孙松儿
Current Assignee
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides an attack rule closure method and device. The method comprises: a security gateway device obtains the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule; the security gateway device determines, from these three hit counts, whether the attack rule should be closed; and if so, the security gateway device closes the attack rule. With this technical scheme the attack rule can be closed automatically, which reduces the number of enabled attack rules in the feature database, cuts down on ineffective matching, lightens the workload of the security gateway device and improves its processing performance.

Description

Attack rule closing method and device
Technical field
The present invention relates to the field of communication technology, and in particular to an attack rule closing method and device.
Background technology
IPS (Intrusion Prevention System) devices are generally deployed at the network egress of large and medium-sized enterprises, at the intranet egress, or at the data center. They inspect packets from the external network accessing the intranet in order to protect the security of the internal network, and inspect packets from the internal network accessing the external network in order to control sensitive enterprise information. An IPS device is configured with a feature database containing attack rules; for each packet to be inspected, the IPS device checks in turn whether the packet matches an attack rule in the feature database, and if so processes the packet according to the policy corresponding to that attack rule, for example by discarding it.
As attack methods become increasingly complex and varied, the feature databases of the IPS devices of large enterprises contain more and more attack rules, and all of these attack rules are enabled. The IPS device must check in turn whether a packet matches each attack rule in the feature database, so its workload is very large, its processing performance drops, and the device may even crash, affecting its normal use.
Summary of the invention
The invention provides an attack rule closing method. For each enabled attack rule, where the attack rule comprises a rough matching feature and an exact matching feature, the method comprises:
the security gateway device obtains, within a preset statistics period, the hit count of the rough matching feature, the hit count of the exact matching feature, and the hit count of the attack rule;
the security gateway device uses the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule to determine whether to close the attack rule;
if so, the security gateway device closes the attack rule.
The invention also provides an attack rule closing device, applied on a security gateway device. For each enabled attack rule, where the attack rule comprises a rough matching feature and an exact matching feature, the attack rule closing device comprises:
an acquisition module, for obtaining, within a preset statistics period, the hit count of the rough matching feature, the hit count of the exact matching feature, and the hit count of the attack rule;
a judging module, for using the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule to determine whether to close the attack rule;
a closing module, for closing the attack rule when the judgment result is yes.
Based on the above technical scheme, in the embodiments of the present invention, while still meeting the user's requirements, the security gateway device can use the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule to close the corresponding attack rule automatically, so that not every attack rule in the feature database is enabled. This reduces the number of enabled attack rules in the feature database; when checking in turn whether a packet matches each attack rule in the feature database, ineffective matching is reduced, the workload of the security gateway device is lightened and its processing performance is improved, without affecting the interception of attack packets.
Brief description of the drawings
Fig. 1 is a flow chart of the attack rule closing method in one embodiment of the present invention;
Fig. 2 is a hardware structure diagram of the security gateway device in one embodiment of the present invention;
Fig. 3 is a structure diagram of the attack rule closing device in one embodiment of the present invention.
Detailed description of the invention
To address the problems in the prior art, the embodiments of the present invention propose an attack rule closing method that can be applied on a security gateway device. The security gateway device may be an IPS device, an IDS (Intrusion Detection System) device, or the like. The feature database of the security gateway device contains a large number of attack rules, and each attack rule includes a rough matching feature and an exact matching feature.
The rough matching feature may include, but is not limited to, an AC (Aho-Corasick, multi-pattern matching) feature. The exact matching feature may include, but is not limited to, an option feature and/or a PCRE (Perl Compatible Regular Expressions) feature. The option feature may include, but is not limited to, one or any combination of the following: protocol type (such as HTTP (HyperText Transfer Protocol) or TCP (Transmission Control Protocol)), packet direction (such as packets sent from the client to the server), content offset, and so on.
For each enabled attack rule, the embodiments of the present invention determine whether that attack rule should be closed. The determination flow is the same for every attack rule, so for convenience of description the embodiments take a single attack rule as an example.
In the above application scenario, as shown in Fig. 1, the attack rule closing method may comprise the following steps:
Step 101: within a preset statistics period, the security gateway device obtains the hit count of the rough matching feature, the hit count of the exact matching feature, and the hit count of the attack rule.
In the embodiments of the present invention, the process by which the security gateway device obtains these hit counts within the preset statistics period may include, but is not limited to, the following: the security gateway device receives a packet within the preset statistics period and determines whether the packet matches the rough matching feature. If it does, the device increments the hit count of the rough matching feature by 1 and determines whether the packet matches the exact matching feature. If it does, the device increments the hit count of the exact matching feature by 1 and determines whether the packet matches the attack rule; if it does, the hit count of the attack rule is incremented by 1. When the preset statistics period ends, the security gateway device obtains the hit count of the rough matching feature, the hit count of the exact matching feature, and the hit count of the attack rule.
Attack rule matching is mainly based on feature strings. To improve matching efficiency, a pre-match on a short keyword is usually performed first; the feature used in this pre-match is the rough matching feature (such as an AC feature). Only when the pre-match succeeds is the more complex and performance-consuming second match performed, using the exact matching feature (such as a PCRE feature). When the second match succeeds, the attack rule may be determined to have matched directly, or the packet may be analyzed further and the analysis result used to decide whether the attack rule has matched. For example, when the second match succeeds, the packet is screened against a preset rule to determine whether it is an attack packet; if it is, the attack rule is determined to have matched, otherwise the attack rule is determined not to have matched. The preset rule may, for example, be a specified source IP address: when the source IP address of the packet is the specified address, the packet is an attack packet. As another example, the preset rule may be a specified keyword: when the content of the packet contains the specified keyword, the packet is an attack packet.
In practice, because the rough matching feature used in the pre-match is relatively simple and short, the number of packets hitting it is large and there is a certain degree of false positives. Because the exact matching feature used in the second match is relatively complex, the number of packets hitting it is greatly reduced, which narrows the scope in which attack packets are sought. When a packet matches both the rough matching feature and the exact matching feature, the packet can be analyzed to determine whether it successfully matches the attack rule.
For example, the security gateway device receives packets 1 to 10 within the preset statistics period. It first determines whether packet 1 matches the rough matching feature of attack rule 1; if not, the matching process for packet 1 ends. If so, the hit count of the rough matching feature of attack rule 1 is incremented by 1, and the device determines whether packet 1 matches the exact matching feature of attack rule 1; if not, the matching process for packet 1 ends. If so, the hit count of the exact matching feature of attack rule 1 is incremented by 1, and the device determines whether packet 1 matches attack rule 1; if not, the matching process for packet 1 ends, and if so, the hit count of attack rule 1 is incremented by 1. Packets 2 to 10 are processed in the same way, which is not repeated here.
When the preset statistics period is reached (assuming only packets 1 to 10 were received), suppose that packets 1 to 9 all match the rough matching feature of attack rule 1 while packet 10 does not, that packet 1 matches the exact matching feature of attack rule 1 while packets 2 to 9 do not, and that packet 1 does not match attack rule 1. The security gateway device then obtains a hit count of 9 for the rough matching feature of attack rule 1, a hit count of 1 for the exact matching feature of attack rule 1, and a hit count of 0 for attack rule 1.
Based on packets 1 to 10, the security gateway device may also make the same determination for attack rule 2, attack rule 3 and the other attack rules in the same way; this process is not repeated in the embodiments of the present invention.
Step 102: the security gateway device uses the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule to determine whether to close the attack rule. If so, step 103 is executed; if not, the attack rule is not closed and remains enabled.
In the embodiments of the present invention, the process by which the security gateway device makes this determination may include, but is not limited to, the following: when the hit count of the rough matching feature is greater than or equal to a preset first value, the hit count of the exact matching feature is greater than or equal to a preset second value, and the hit count of the attack rule equals a preset third value, the security gateway device determines to close the attack rule. If any one or more of these three conditions is not met, the security gateway device determines not to close the attack rule.
The preset first value is greater than the preset second value, and the preset second value is greater than or equal to the preset third value. In a preferred embodiment, the preset third value may be 0.
In the attack rule matching process, a pre-match on a short keyword is performed first (using the rough matching feature), the more complex and performance-consuming second match (using the exact matching feature) is performed only when the pre-match succeeds, and whether the attack rule matches is determined only when the second match succeeds. Therefore, a packet that matches the attack rule must have matched the exact matching feature of that rule, and a packet that matches the exact matching feature of the rule must have matched its rough matching feature. However, a packet that matches the rough matching feature of an attack rule does not necessarily match the exact matching feature of that rule, and a packet that matches the exact matching feature of an attack rule does not necessarily match the attack rule.
Based on the above principle, the hit count of the rough matching feature of an attack rule is greater than or equal to (and usually far greater than) the hit count of its exact matching feature, and the hit count of the exact matching feature is greater than or equal to (and usually equal to) the hit count of the attack rule. Accordingly, the preset first value may be set greater than the preset second value, and the preset second value may be set greater than or equal to the preset third value. The preset first value and the preset second value may both be set according to practical experience; for example, the preset first value may be 10 and the preset second value 1 or 0.
When the hit count of the rough matching feature of an attack rule is greater than or equal to the preset first value, the hit count of the exact matching feature of the attack rule is greater than or equal to the preset second value, and the hit count of the attack rule is 0, this shows that packets have matched the rough matching feature of the attack rule (usually a large number of packets), that a small number of packets or none have matched the exact matching feature of the attack rule, and that no packet has matched the attack rule itself; the attack rule can now be closed.
Step 103: the security gateway device closes the attack rule.
In the embodiments of the present invention, the process by which the security gateway device closes the attack rule may include, but is not limited to, the following modes. Mode one: the security gateway device closes the attack rule within a preset first time and does not re-open it; the preset first time is very short, for example the security gateway device closes the attack rule immediately. Mode two: after delaying for a preset second time, the security gateway device queries the hit count of the attack rule; if it equals the preset third value, the device closes the attack rule within the preset first time and does not re-open it, and if it does not equal the preset third value, the device does not close the attack rule and waits for the next preset statistics period. Mode three: the security gateway device determines whether the number of times the attack rule has been closed consecutively has reached N. If not, it closes the attack rule within the preset first time, re-opens the attack rule after a preset third time, returns to obtaining the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule within the preset statistics period, and continues with step 101 and step 102. If so, it closes the attack rule within the preset first time and does not re-open it.
The value of N can be set arbitrarily according to actual needs; for example, N may be 5.
Modes two and three increase the learning time of the security gateway device, avoid attack rules being deleted by mistake, and ensure that a deleted attack rule is one that would not be matched.
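The three-stage counting of step 101, the threshold test of step 102 and closure mode three of step 103, carried through in code on constructed traffic that reproduces the packets 1 to 10 example above (9 rough hits, 1 exact hit, 0 rule hits). This is an added illustration, not code from the patent or from H3C; the rule contents, thresholds, IP addresses, payloads and the name "mode three" bookkeeping are all constructed here. With the patent's example first value of 10 the rule stays open; with a first value of 5 it is closed, and after N = 2 consecutive closures it stays closed.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    direction: str      # option feature: "c2s" (client to server) or "s2c"
    payload: bytes


@dataclass
class AttackRule:
    name: str
    coarse_keyword: bytes    # rough matching feature: short AC-style keyword for the pre-match
    exact_pattern: bytes     # exact matching feature: PCRE-style regular expression
    direction: str           # exact matching option feature: required packet direction
    attacker_ip: str         # preset rule for the final analysis (constructed source IP)
    enabled: bool = True
    coarse_hits: int = 0
    exact_hits: int = 0
    rule_hits: int = 0
    consecutive_closures: int = 0   # bookkeeping for closure mode three


def match_packet(rule, pkt):
    """Step 101 for one packet: the three stages run in order and each counter is
    incremented as soon as its stage succeeds. Returns True only on a full rule match."""
    if not rule.enabled or rule.coarse_keyword not in pkt.payload:
        return False                                   # cheap pre-match failed
    rule.coarse_hits += 1
    if pkt.direction != rule.direction or not re.search(rule.exact_pattern, pkt.payload):
        return False                                   # option or regex check failed
    rule.exact_hits += 1
    if pkt.src_ip != rule.attacker_ip:                 # preset-rule analysis of the packet
        return False
    rule.rule_hits += 1
    return True


def run_period(rule, packets):
    """Feed one statistics period of traffic through a rule and return its three counts."""
    for pkt in packets:
        match_packet(rule, pkt)
    return rule.coarse_hits, rule.exact_hits, rule.rule_hits


def should_close(rule, first, second, third=0):
    """Step 102: close when coarse >= first, exact >= second and rule == third,
    with the ordering first > second >= third that the patent requires."""
    if not first > second >= third:
        raise ValueError("thresholds must satisfy first > second >= third")
    return (rule.coarse_hits >= first
            and rule.exact_hits >= second
            and rule.rule_hits == third)


def end_of_period(rule, first, second, n_consecutive, third=0):
    """Step 103, closure mode three: a closable rule is closed for now and re-opened
    for the next period; after N consecutive closures it stays closed. Counters are
    reset so the next statistics period starts from zero."""
    if not rule.enabled:
        return "closed_permanently"
    close = should_close(rule, first, second, third)
    rule.coarse_hits = rule.exact_hits = rule.rule_hits = 0
    if not close:
        rule.consecutive_closures = 0          # a period judged not closable breaks the streak
        return "open"
    rule.consecutive_closures += 1
    if rule.consecutive_closures >= n_consecutive:
        rule.enabled = False
        return "closed_permanently"
    return "closed_temporarily"


def sample_period():
    """Constructed traffic reproducing the patent's example: 9 packets hit the rough
    feature, 1 of them also hits the exact feature, and none hits the rule itself."""
    pkts = [Packet("192.0.2.%d" % i, "c2s", b"GET /cgi-bin/status.cgi HTTP/1.1")
            for i in range(1, 9)]                                  # rough match only
    pkts.append(Packet("192.0.2.9", "c2s",
                       b"GET /cgi-bin/status.cgi?debug=1 HTTP/1.1"))   # rough + exact
    pkts.append(Packet("192.0.2.10", "c2s", b"GET /index.html HTTP/1.1"))  # no hit
    return pkts


# Constructed attack rule 1; every value here is illustrative.
RULE1 = dict(name="rule1", coarse_keyword=b"/cgi-bin/",
             exact_pattern=rb"/cgi-bin/[a-z_]+\.cgi\?debug=1",
             direction="c2s", attacker_ip="198.51.100.7")


def simulate(periods, first=5, second=1, n_consecutive=2):
    """Run several identical statistics periods and return each period's decision."""
    rule = AttackRule(**RULE1)
    decisions = []
    for _ in range(periods):
        run_period(rule, sample_period())
        decisions.append(end_of_period(rule, first, second, n_consecutive))
    return decisions


if __name__ == "__main__":
    rule = AttackRule(**RULE1)
    print(run_period(rule, sample_period()))                    # (9, 1, 0)
    print(should_close(rule, 10, 1), should_close(rule, 5, 1))  # False True
    print(simulate(3))   # ['closed_temporarily', 'closed_permanently', 'closed_permanently']
```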
In the embodiments of the present invention, the security gateway device may also send an attack rule closure application request message to the network management device, which analyzes which attack rules need to be closed. The security gateway device then receives from the network management device an attack rule closure application response message carrying the attack rules that need to be closed, and uses that response message to close the corresponding attack rules (the attack rules carried in the attack rule closure application response message).
After receiving the attack rule closure application request message from the security gateway device, the network management device may have network management personnel analyze which attack rules need to be closed, and may send the attack rules to be closed to the security gateway device in the attack rule closure application response message.
Based on the above technical scheme, in the embodiments of the present invention, while still meeting the user's requirements, the security gateway device can use the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule to close the corresponding attack rule automatically, so that not every attack rule in the feature database is enabled. This reduces the number of enabled attack rules in the feature database; when checking in turn whether a packet matches each attack rule in the feature database, ineffective matching is reduced, the workload of the security gateway device is lightened and its processing performance is improved, without affecting the interception of attack packets. Device performance is thus guaranteed to the greatest extent while the matching rate is guaranteed.
Based on the same inventive concept as the above method, the embodiments of the present invention also provide an attack rule closing device, applied on a security gateway device. The attack rule closing device may be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, the device in a logical sense is formed by the processor of the security gateway device on which it resides reading the corresponding computer program instructions from non-volatile storage. From the hardware perspective, Fig. 2 is a hardware structure diagram of the security gateway device on which the attack rule closing device proposed by the present invention resides. Besides the processor and non-volatile memory shown in Fig. 2, the security gateway device may include other hardware, such as a forwarding chip responsible for packet processing, network interfaces, memory and so on. In terms of hardware structure, the security gateway device may also be a distributed device comprising multiple interface cards, to expand packet processing at the hardware level.
As shown in Fig. 3, a structure diagram of the attack rule closing device proposed by the present invention, the attack rule closing device is applied on a security gateway device. For each enabled attack rule, where the attack rule comprises a rough matching feature and an exact matching feature, the attack rule closing device comprises:
an acquisition module 11, for obtaining, within a preset statistics period, the hit count of the rough matching feature, the hit count of the exact matching feature, and the hit count of the attack rule;
a judging module 12, for using the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule to determine whether to close the attack rule;
a closing module 13, for closing the attack rule when the judgment result is yes.
The acquisition module 11 is configured to receive a packet within the preset statistics period and determine whether the packet matches the rough matching feature; if so, increment the hit count of the rough matching feature by 1 and determine whether the packet matches the exact matching feature; if so, increment the hit count of the exact matching feature by 1 and determine whether the packet matches the attack rule; if so, increment the hit count of the attack rule by 1; and, when the preset statistics period ends, obtain the hit count of the rough matching feature, the hit count of the exact matching feature, and the hit count of the attack rule.
The judging module 12 is configured to determine to close the attack rule when the hit count of the rough matching feature is greater than or equal to a preset first value, the hit count of the exact matching feature is greater than or equal to a preset second value, and the hit count of the attack rule equals a preset third value; the preset first value is greater than the preset second value, and the preset second value is greater than or equal to the preset third value.
The closing module 13 is configured to close the attack rule within a preset first time and not re-open it; or, after delaying for a preset second time, if the queried hit count of the attack rule equals the preset third value, to close the attack rule within the preset first time and not re-open it; or, to determine whether the number of times the attack rule has been closed consecutively has reached N, and if not, to close the attack rule within the preset first time, re-open it after a preset third time, and return to obtaining the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule within the preset statistics period, and if so, to close the attack rule within the preset first time and not re-open it.
The rough matching feature comprises a multi-pattern matching AC feature;
the exact matching feature comprises an option feature and/or a regular expression PCRE feature.
The modules of the device of the present invention may be integrated together or deployed separately. The above modules may be merged into one module or further split into multiple sub-modules.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus a necessary general hardware platform, or of course by hardware, but in many cases the former is the better embodiment. Based on this understanding, the technical scheme of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment of the present invention. Those skilled in the art will understand that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will understand that the modules of the device in the embodiments may be distributed in the device of the embodiment as described, or may be changed accordingly to be located in one or more devices different from this embodiment. The modules of the above embodiment may be merged into one module or further split into multiple sub-modules. The sequence numbers of the above embodiments are for description only and do not represent the quality of the embodiments.
The above discloses only several specific embodiments of the present invention, but the present invention is not limited thereto; any changes that a person skilled in the art can conceive shall fall within the protection scope of the present invention.

Claims (10)

1. An attack rule closing method, characterized in that, for each enabled attack rule, the attack rule comprises a rough matching feature and an exact matching feature, and the method comprises:
the security gateway device obtains, within a preset statistics period, the hit count of the rough matching feature, the hit count of the exact matching feature, and the hit count of the attack rule;
the security gateway device uses the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule to determine whether to close the attack rule;
if so, the security gateway device closes the attack rule.
2. The method according to claim 1, characterized in that the process by which the security gateway device obtains, within the preset statistics period, the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule comprises:
the security gateway device receives a packet within the preset statistics period;
the security gateway device determines whether the packet matches the rough matching feature; if so, the security gateway device increments the hit count of the rough matching feature by 1 and determines whether the packet matches the exact matching feature; if so, the security gateway device increments the hit count of the exact matching feature by 1 and determines whether the packet matches the attack rule; if so, it increments the hit count of the attack rule by 1;
when the preset statistics period ends, the security gateway device obtains the hit count of the rough matching feature, the hit count of the exact matching feature, and the hit count of the attack rule.
3. The method according to claim 1, characterized in that the process by which the security gateway device uses the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule to determine whether to close the attack rule comprises:
when the hit count of the rough matching feature is greater than or equal to a preset first value, the hit count of the exact matching feature is greater than or equal to a preset second value, and the hit count of the attack rule equals a preset third value, the security gateway device determines to close the attack rule; wherein the preset first value is greater than the preset second value, and the preset second value is greater than or equal to the preset third value.
4. The method according to claim 1, characterized in that the security gateway device closing the attack rule comprises:
the security gateway device closes the attack rule within a default first time and no longer opens the attack rule; or,
after delaying for a default second time, if the security gateway device queries the hit count of the attack rule and it still equals the default third value, the security gateway device closes the attack rule within the default first time and no longer opens the attack rule; or,
the security gateway device judges whether the number of times the attack rule has been closed consecutively reaches N; if not, it closes the attack rule within the default first time, opens the attack rule again after a default third time, and returns to the process of obtaining, within a default measurement period, the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule; if so, it closes the attack rule within the default first time and no longer opens the attack rule.
5. The method according to any one of claims 1-4, characterized in that
the rough matching feature comprises a multi-pattern matching (AC) feature;
the exact matching feature comprises an option feature and/or a regular expression (PCRE) feature.
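The counting scheme of claim 2, the closure test of claim 3 and the "N consecutive closures" alternative of claim 4 can be read as one small state machine per rule. The following Python simulation is an added example, not code from the patent or from the applicant: the coarse AC multi-pattern feature is stood in for by a plain substring, the option/PCRE exact feature by a Python regular expression, and the remaining conditions of the full rule by a callable; the rule name, threshold values, timer handling (the third default time is modelled by re-enabling the rule at the start of the next period) and the sample request lines are all constructed for the demonstration. Treating a period that does not close the rule as breaking the "closed consecutively" streak is an interpretation of the claim wording.

```python
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Thresholds:
    """Default first/second/third values of claim 3; n1 > n2 >= n3 is required."""
    n1: int  # minimum rough-feature hits
    n2: int  # minimum exact-feature hits
    n3: int  # hit count the full rule must equal (typically 0)

    def __post_init__(self) -> None:
        if not (self.n1 > self.n2 >= self.n3):
            raise ValueError("thresholds must satisfy n1 > n2 >= n3")


@dataclass
class AttackRule:
    name: str
    rough: str                         # coarse feature; stand-in for the AC multi-pattern
    exact: "re.Pattern[str]"           # exact feature; stand-in for the option/PCRE check
    rule_check: Callable[[str], bool]  # remaining conditions of the full rule (assumed)
    hits_rough: int = 0
    hits_exact: int = 0
    hits_rule: int = 0
    enabled: bool = True
    consecutive_closures: int = 0
    permanently_closed: bool = False

    def reset_counts(self) -> None:
        self.hits_rough = self.hits_exact = self.hits_rule = 0

    def observe(self, message: str) -> None:
        """Claim 2: rough -> exact -> rule, each stage counted only if the previous hit."""
        if not self.enabled:
            return
        if self.rough in message:
            self.hits_rough += 1
            if self.exact.search(message):
                self.hits_exact += 1
                if self.rule_check(message):
                    self.hits_rule += 1


def should_close(rule: AttackRule, th: Thresholds) -> bool:
    """Claim 3: coarse stages keep firing while the full rule stays at exactly n3."""
    return (rule.hits_rough >= th.n1
            and rule.hits_exact >= th.n2
            and rule.hits_rule == th.n3)


def end_of_period(rule: AttackRule, th: Thresholds, max_closures: int) -> str:
    """Claim 4, third alternative, evaluated when a measurement period ends."""
    if rule.permanently_closed:
        rule.reset_counts()
        return "closed_permanently"
    if not should_close(rule, th):
        rule.consecutive_closures = 0      # interpretation: a kept period breaks the streak
        rule.reset_counts()
        return "kept"
    rule.enabled = False
    if rule.consecutive_closures >= max_closures:   # already closed N times in a row
        rule.permanently_closed = True
        outcome = "closed_permanently"
    else:
        rule.consecutive_closures += 1               # will reopen after the third default time
        outcome = "closed_temporarily"
    rule.reset_counts()
    return outcome


def reopen_if_temporary(rule: AttackRule) -> None:
    """Models expiry of the third default time: only temporary closures are lifted."""
    if not rule.permanently_closed:
        rule.enabled = True


def simulate(rule: AttackRule, periods: List[List[str]], th: Thresholds,
             max_closures: int) -> List[str]:
    """Feed one list of messages per measurement period; return each period's outcome."""
    outcomes = []
    for messages in periods:
        reopen_if_temporary(rule)
        for m in messages:
            rule.observe(m)
        outcomes.append(end_of_period(rule, th, max_closures))
    return outcomes


def make_demo_rule() -> AttackRule:
    # Constructed toy rule: coarse substring, exact regex, one extra condition.
    return AttackRule(name="demo-admin-debug", rough="/admin",
                      exact=re.compile(r"/admin/(login|users)\b"),
                      rule_check=lambda m: "debug=1" in m)


# Constructed sample request lines, not captured traffic.
QUIET_PERIOD = ["GET /admin/login HTTP/1.1", "GET /admin/users HTTP/1.1",
                "GET /index.html HTTP/1.1", "GET /admin/login HTTP/1.1",
                "GET /admin/static/app.js HTTP/1.1"]   # rough 4, exact 3, rule 0
FIRING_PERIOD = QUIET_PERIOD + ["GET /admin/users?debug=1 HTTP/1.1"]  # rule hits once

if __name__ == "__main__":
    print(simulate(make_demo_rule(), [QUIET_PERIOD] * 2 + [FIRING_PERIOD] + [QUIET_PERIOD] * 4,
                   Thresholds(3, 2, 0), max_closures=2))
```

With N = 2 the run above closes the rule twice, keeps it in the period where the full rule actually fires (which resets the streak), closes it twice more, and only then closes it for good; the `Thresholds` constructor rejects settings that violate the ordering claim 3 requires.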
6. An attack rule closing device, characterized in that the attack rule closing device is applied to a security gateway device, for each attack rule that has been opened, the attack rule comprising a rough matching feature and an exact matching feature, and the attack rule closing device comprises:
an acquisition module, for obtaining, within a default measurement period, the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule;
a judging module, for using the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule to judge whether to close the attack rule;
a closing module, for closing the attack rule when the judgment result is yes.
7. The device according to claim 6, characterized in that
the acquisition module is for receiving a message within the default measurement period; judging whether the message matches the rough matching feature; if it matches the rough matching feature, adding 1 to the hit count of the rough matching feature and judging whether the message matches the exact matching feature; if it matches the exact matching feature, adding 1 to the hit count of the exact matching feature and judging whether the message matches the attack rule; if it matches the attack rule, adding 1 to the hit count of the attack rule; and, when the default measurement period ends, obtaining the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule.
8. The device according to claim 6, characterized in that
the judging module is for determining that the attack rule is to be closed when the hit count of the rough matching feature is greater than or equal to a default first value, the hit count of the exact matching feature is greater than or equal to a default second value, and the hit count of the attack rule equals a default third value; wherein the default first value is greater than the default second value, and the default second value is greater than or equal to the default third value.
9. The device according to claim 6, characterized in that
the closing module is for closing the attack rule within a default first time and no longer opening the attack rule; or, after delaying for a default second time, if the queried hit count of the attack rule still equals the default third value, closing the attack rule within the default first time and no longer opening the attack rule; or, judging whether the number of times the attack rule has been closed consecutively reaches N; if not, closing the attack rule within the default first time, opening the attack rule again after a default third time, and returning to the process of obtaining, within a default measurement period, the hit count of the rough matching feature, the hit count of the exact matching feature and the hit count of the attack rule; if so, closing the attack rule within the default first time and no longer opening the attack rule.
10. The device according to any one of claims 6-9, characterized in that
the rough matching feature comprises a multi-pattern matching (AC) feature;
the exact matching feature comprises an option feature and/or a regular expression (PCRE) feature.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510707365.2A CN105592061A (en) 2015-10-27 2015-10-27 Attack rule closure method and device
Publications (1)

Publication Number Publication Date
CN105592061A true CN105592061A (en) 2016-05-18

Family

ID=55931278

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107547533A (en) * 2017-08-24 2018-01-05 新华三信息安全技术有限公司 A kind of characterization rules open method and device
CN108446148A (en) * 2018-01-29 2018-08-24 北京奇艺世纪科技有限公司 A kind of method, apparatus and electronic equipment of regulation management
CN108615139A (en) * 2018-03-15 2018-10-02 阿里巴巴集团控股有限公司 A kind of business rule inserting method and device
CN110213286A (en) * 2019-06-12 2019-09-06 四川长虹电器股份有限公司 It is a kind of based on efficient WAF design method with double engines
CN113311809A (en) * 2021-05-28 2021-08-27 苗叶 Industrial control system-based safe operation and maintenance instruction blocking device and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101707601A (en) * 2009-11-23 2010-05-12 成都市华为赛门铁克科技有限公司 Invasion defence detection method and device and gateway equipment
CN101902441A (en) * 2009-05-31 2010-12-01 北京启明星辰信息技术股份有限公司 Intrusion detection method capable of realizing sequence attacking event detection
CN103856470A (en) * 2012-12-06 2014-06-11 腾讯科技(深圳)有限公司 Distributed denial of service attack detection method and device
CN104852909A (en) * 2015-04-24 2015-08-19 杭州华三通信技术有限公司 Attack detection rule opening method, and equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466
Applicant after: Xinhua three Technology Co., Ltd.
Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466
Applicant before: Huasan Communication Technology Co., Ltd.
RJ01 Rejection of invention patent application after publication
Application publication date: 20160518